Revision as of 10:13, 9 September 2010

This section introduces the basic concepts, methodology, and general troubleshooting guidelines for problems that may occur when configuring and using digital certificates in the Cisco MDS 9000 Family of multilayer directors and fabric switches.

Troubleshooting Digital Certificates

This chapter describes how to troubleshoot digital certificates created and maintained in the Cisco MDS 9000 Family. It includes the following sections:

Overview

Initial Troubleshooting Checklist

Digital Certificate Issues

Overview

Public Key Infrastructure (PKI) support provides the process for the Cisco MDS 9000 Family of switches to obtain and use digital certificates for secure communication in the network. PKI support provides manageability and scalability for IPsec/IKE and SSH.

Digital Certificates

Digital signatures, based on public key cryptography, digitally authenticate devices and individual users. In public key cryptography, each device or user has a key pair containing both a private key and a public key. Digital certificates link the digital signature to the remote device. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity's public key. The certificate is itself signed by a certificate authority (CA), a third party that is explicitly trusted by the receiver to validate identities and to create digital certificates.

Certificate Authorities

The trust model used in PKI support is hierarchical with multiple configurable trusted CAs. Each participating entity is configured with a list of CAs to be trusted so that the peer's certificate obtained during the security protocol exchanges can be verified, provided it has been issued by one of the locally trusted CAs. To accomplish this, the CA's self-signed root certificate (or certificate chain for a subordinate CA) is locally stored. The MDS switch can also enroll with a trusted CA (trust point CA) to obtain an identity certificate (for example, for IPsec/IKE).

RSA Key Pairs and Identity Certificates

You can generate one or more RSA key pairs and associate each RSA key pair with a trusted CA where the MDS switch intends to enroll to obtain an identity certificate. The MDS switch needs only one identity per CA, which consists of one key pair and one identity certificate per CA.

Peer Certificate Verification

The peer certificate verification process involves the following steps:

Verifies that the peer certificate is issued by one of the locally trusted CAs.

Verifies that the peer certificate is valid (not expired) with respect to current time.

Verifies that the peer certificate is not yet revoked by the issuing CA.

CRLs and OCSP Support

Two methods are supported for verifying that the peer certificate has not been revoked: certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP). The switch uses one or both of these methods to verify that the peer certificate has not been revoked.

CRLs are maintained by CAs to provide information about prematurely revoked certificates, and the CRLs are published in a repository.

Cisco MDS SAN-OS allows the manual configuration of pre-downloaded CRLs for the trusted CAs, and then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by IPsec or SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and the revocation checking is configured to use CRL. Otherwise, CRL checking is not performed and the certificate is considered to be not revoked if no other revocation checking methods are configured.

OCSP facilitates online certificate revocation checking. You can specify an OCSP URL for each trusted CA.
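The three verification steps above, the cached-CRL caveat, and the clock-skew failure mode listed later under Certificate Fails at Peer, as an added Go example that is not part of the Cisco documentation: the CA, peer certificate, CRL, the must helper and the subject names are constructed for the demo, and the check order stands in for what the switch does internally.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // hypothetical fixture helper

// VerifyPeer runs the three checks in the order listed above: issued by a locally trusted CA, inside its
// validity period at the verifier's own clock, and not listed on the issuer's CRL.
func VerifyPeer(peer *x509.Certificate, roots *x509.CertPool, now time.Time, crl *x509.RevocationList) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err // UnknownAuthorityError (CA not trusted) or CertificateInvalidError (expired / not yet valid)
	}
	if crl != nil { // nil models a CRL never cached on bootflash: the check is skipped, peer counts as not revoked
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(peer.SerialNumber) == 0 {
				return fmt.Errorf("serial %v revoked by issuing CA", peer.SerialNumber)
			}
		}
	}
	return nil
}

// Fixture builds a constructed CA, a peer certificate valid for one hour from issue, and a CRL revoking it.
func Fixture() (roots *x509.CertPool, peer *x509.Certificate, issued time.Time, crl *x509.RevocationList) {
	caKey, peerKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	issued = time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true, BasicConstraintsValid: true, NotBefore: issued.Add(-time.Hour), NotAfter: issued.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	peer = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Vegas-1.cisco.com"}, NotBefore: issued, NotAfter: issued.Add(time.Hour)}, ca, &peerKey.PublicKey, caKey))))
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: peer.SerialNumber, RevocationTime: issued}}}, ca, caKey))))
	roots = x509.NewCertPool() // only what is added here is "locally trusted"; an empty pool trusts no CA
	roots.AddCert(ca)
	return roots, peer, issued, crl
}

func main() {
	roots, peer, issued, crl := Fixture()
	fmt.Println("clocks in sync, no CRL cached:", VerifyPeer(peer, roots, issued.Add(time.Minute), nil))
	fmt.Println("verifier clock two hours ahead:", VerifyPeer(peer, roots, issued.Add(2*time.Hour), nil))
	fmt.Println("CRL cached and lists the peer:", VerifyPeer(peer, roots, issued.Add(time.Minute), crl))
}
```

The second call shows why a verifier whose clock runs ahead of the issuer's reports a fresh certificate as expired; the first shows that, without a cached CRL, a revoked certificate still passes.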

Import and Export Support for Certificates and Associated Key Pairs

As part of the CA authentication and enrollment process, the CA certificate (or the entire chain in the case of a subordinate CA) and the identity certificates can be imported in standard PEM (base64) format.

The complete identity information in a trust point can be exported to a file in the password-protected PKCS#12 standard format. The information in a PKCS#12 file consists of the RSA key pair, the identity certificate, and the CA certificate (or chain).

PKI Enrollment Support

The PKI enrollment process for a switch involves the following steps:

1. Create a trust point and authenticate the CA to it.

2. Generate an RSA private and public key pair on the switch.

3. Associate the RSA key pair to the trust point.

4. Generate a certificate request in standard format and forward it to the CA.

5. The CA administrator might need to manually approve the enrollment request when it is received by the CA.

6. Receive the issued certificate back from the CA, signed with the CA's private key.

7. Write the certificate into a nonvolatile storage area on the switch (bootflash).

Cisco MDS SAN-OS supports certificate retrieval and enrollment using a manual cut-and-paste method. Cut-and-paste enrollment literally means you must cut and paste the certificate requests and resulting certificates between the switch (using a console, Telnet, or SSH connection) and the CA, as follows:

1. Create an enrollment certificate request, which is displayed in base64-encoded text form.

2. Cut and paste the encoded certificate request text in an e-mail message or in a web form and send it to the CA.

3. Receive the issued certificate (in base64-encoded text form) from the CA in an e-mail message or in a web browser download.

4. Cut and paste the issued certificate to the switch using the certificate import facility.
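Enrollment step 4 and cut-and-paste step 1 as an added Go example, not code from the Cisco documentation: it builds the PKCS#10 request the switch emits (subject CN set to the switch FQDN, the management IP as an alternative name), PEM-encodes it for pasting, and parses it back the way the receiving side would. The FQDN, IP address and function names are constructed assumptions, and the challenge password attribute the switch adds is not included.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

// NewEnrollmentRequest builds the PKCS#10 request: CN is the switch FQDN, the IP is optional, output is PEM.
func NewEnrollmentRequest(fqdn string, ip net.IP, key *rsa.PrivateKey) ([]byte, error) {
	if fqdn == "" {
		return nil, errors.New("FQDN not configured: set the host name and IP domain name first")
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn}}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckEnrollmentRequest decodes pasted PEM, verifies the self-signature (proof of possession), returns the CN.
func CheckEnrollmentRequest(pemText []byte) (string, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("not a PEM certificate request (paste may be truncated)")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.Subject.CommonName, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key; FQDN and IP mirror the CLI example on this page
	req, err := NewEnrollmentRequest("Vegas-1.cisco.com", net.ParseIP("172.22.31.162"), key)
	fmt.Println(string(req), err)
}
```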

Initial Troubleshooting Checklist

Verify that the fully qualified domain name (FQDN) has been configured on the switch.

Verify that all the CA certificates in a CA chain for a trusted CA are added to the switch if the CA is not self-signed.

Verify that you have installed your identity certificates.

Verify that you have revoked your identity certificates if you delete the associated RSA key pairs.

Common Troubleshooting Tools in Fabric Manager

Choose Switches > Security > PKI to access digital certificates.

Common Troubleshooting Commands in the CLI

The following commands may be useful in troubleshooting digital certificate issues:

show crypto ca certificates

show crypto key

show crypto ca crl

show crypto ca trustpoint

Digital Certificate Issues

This section describes troubleshooting digital certificates and includes the following topics:

CA Will Not Generate Identity Certificate

Cannot Export Identity Certificate in PKCS#12 Format

Certificate Fails at Peer

PKI Fails After Reboot

Cannot Import Certificate and RSA Key Pairs from Backup

CA Will Not Generate Identity Certificate

Symptom: CA will not generate an identity certificate.

Table 24-2 CA Will Not Generate Identity Certificate

Symptom: CA will not generate an identity certificate.
Possible Cause: FQDN is not configured.
Solution: Configure the host name and the IP domain name. Choose Switches in Fabric Manager and set the LogicalName field to the host name. Choose Switches > Interfaces > Management > DNS and set the DefaultDomainName field.

Certificate Fails at Peer

Symptom: Certificate fails at peer.

Solution: Revoke certificate and re-create. See the "Configuring Certificates on the MDS Switch Using Fabric Manager" section or the "Configuring Certificates on the MDS Switch Using the CLI" section.

Possible Cause: Local and remote clocks are not synchronized.
Solution: If the clocks are not synchronized, the certificate may appear to be expired. Validate the clocks on the local and peer device.

Possible Cause: Peer does not recognize CA issuing the certificate.
Solution: Create a certificate for the CAs known to the peer device. See the "Configuring Certificates on the MDS Switch Using Fabric Manager" section or the "Configuring Certificates on the MDS Switch Using the CLI" section.

Configuring Certificates on the MDS Switch Using Fabric Manager

To configure certificates on an MDS switch using Fabric Manager, follow these steps:

1. Choose Switches and set the LogicalName field to configure the switch host name.

2. Choose Switches > Interfaces > Management > DNS and set the DefaultDomainName field to configure the DNS domain name for the switch.

3. Follow these steps to create an RSA key pair for the switch:

a. Choose Switches > Security > PKI and select the RSAKey-Pair tab.

b. Click Create Row and set the name and size field.

c. Check the Exportable check box and click Create.

4. Follow these steps to create a trust point and associate the RSA key pairs with it:

d. Click... in the URL field and select the CA certificate from bootflash.

e. Click Apply Changes to authenticate the CA that you want to enroll to the trust point.

f. Click the Trust Point Actions tab in the Information Pane.

g. Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the trust point row in question. Compare the CA certificate fingerprint with the fingerprint already communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept the CA by selecting the certconfirm trust point action. Otherwise, reject the CA by selecting the certnoconfirm trust point action.

h. If you selected certconfirm in Step g, select the Trust Point Actions tab, select certconfirm from the Command drop-down menu and then click Apply Changes.

i. If you selected certnoconfirm in Step g, select the Trust Point Actions tab, select certnoconfirm from the Command drop-down menu, and then click Apply Changes.

8. Follow these steps to generate a certificate request for enrolling with that trust point:

a. Select the Trust Point Actions tab in the Information pane.

b. Select certreq from the Command drop-down menu. This generates a PKCS#10 certificate signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry.

c. Enter the output file name for storing the generated certificate request. It should be specified in the bootflash:filename format and will be used to store the CSR generated in PEM format.

d. Enter the challenge password to be included in the CSR. The challenge password is not saved with the configuration. This password is required in the event that your certificate needs to be revoked, so you must remember this password.

e. Click Apply Changes to save the changes.

9. Request an identity certificate from the CA.

Note:

The CA may require manual verification before issuing the identity certificate.

10. Follow these steps to import the identity certificate:

a. In Device Manager, choose Admin > Flash Files and select Copy, then select tftp from the Protocol radio buttons to copy the CA certificate to bootflash over TFTP.

c. Select the certimport option from the Command drop-down menu to import an identity certificate in this trust point.

Note:

The identity certificate should be available in PEM format in a file in bootflash.

d. Enter the name of the certificate file that was copied to bootflash in the URL field in the bootflash:filename format.

e. Click Apply Changes to save your changes.

If successful, the values of the identity certificate and its related objects, like the certificate file name, are automatically updated with the appropriate values as per the corresponding attributes in the identity certificate.

Configuring Certificates on the MDS Switch Using the CLI

To configure certificates on an MDS switch using the CLI, follow these steps:

Step 9 Generate a certificate request for enrolling with that trust point.

Vegas-1(config)# crypto ca enroll myCA
Create the certificate request ..
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:nbv123
The subject name in the certificate will be: Vegas-1.cisco.com
Include the switch serial number in the subject name? [yes/no]:no
Include an IP address in the subject name [yes/no]:yes
ip address:172.22.31.162
The certificate request will be displayed...
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----
Vegas-1(config)#

10. Request an identity certificate from the CA.

Note:

The CA may require manual verification before issuing the identity certificate.

PKI Fails After Reboot

Symptom: PKI fails after reboot.

Table 24-5 PKI Fails After Reboot

Symptom: PKI fails after a reboot.
Possible Cause: Certificates not saved to NVRAM.
Solution: Save the running-config to startup-config to save the trust point to startup. Then reimport the certificates. See the "Configuring Certificates on the MDS Switch Using Fabric Manager" section or the "Configuring Certificates on the MDS Switch Using the CLI" section.

Cannot Import Certificate and RSA Key Pairs from Backup

Symptom: Cannot import certificate and RSA key pairs from backup.

Table 24-6 Cannot Import Certificate and RSA Key Pairs from Backup

Symptom: Cannot import certificate and RSA key pairs from backup.
Possible Cause: Configured trust point is not empty.
Solution: Delete the identity certificate, the CRL, and CA certificates, and then disassociate the RSA key pair from the trust point in that order. See the "Importing Certificate and RSA Key Pairs from Backup Using Fabric Manager" section or the "Importing Certificate and RSA Key Pairs from Backup Using the CLI" section.

Possible Cause: An RSA key pair exists with the same name as the trust point that the import failed for.

5. Select the pkcs12import option from the Command drop-down menu to import the key pair, identity certificate, and the CA certificate or certificate chain in PKCS#12 format to the selected trust point.

6. Enter the input in bootflash:filename format, for the PKCS#12 file.

7. Enter the required password. The password is set for decoding the PKCS#12 data. On completion, the imported data is available in bootflash in the specified file.

8. Click Apply Changes to save the changes.

On completion, the trust point is created in the RSA key pair table corresponding to the imported key pair. The certificate information is updated in the trust point.

Note:

The trust point should be empty (no RSA key pair associated with it and no CA is associated with it using CA authentication) for the PKCS#12 import to succeed.

Importing Certificate and RSA Key Pairs from Backup Using the CLI

To import certificates and RSA key pairs from a PKCS#12 backup file using the CLI, follow these steps:

1. Use the show crypto ca trustpoints command to verify that the trust point is empty.

2. Optionally, use the delete ca-certificate command in trust point config submode to remove the CA certificate from the trust point.